auditing files which are executed?
Matthew Booth
mbooth at redhat.com
Fri Jan 18 22:49:38 UTC 2008
Brennan, William C wrote:
> Okay, I’m a newbie, so excuse this question if the answer seems obvious.
>
>
>
> I’ve looked at auditctl to see how it can help us audit several
> different conditions, but I can’t figure out how to do the following:
>
>
>
> How do I configure parameters for auditctl to make an audit record every
> time a file is executed?
>
On i386:
-a entry,always -F arch=i386 -S execve
On x86_64, you need the above in addition to:
-a entry,always -F arch=x86_64 -S execve
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20080118/6fc912a5/attachment.sig>
More information about the Linux-audit
mailing list